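def list_role_assignments(cmd, assignee_object_id, scope=None):
    """List the role assignments held by one principal, with friendly names filled in.

    :param cmd: CLI command object; ``cmd.cli_ctx`` is used to build the Graph and
        Authorization clients and to read the current subscription id.
    :param assignee_object_id: object id of the principal whose assignments are
        listed. It is the only filter handed to ``_search_role_assignments``.
    :param scope: ARM scope at which role *definitions* are listed so that
        ``roleDefinitionId`` values can be mapped to names. Defaults to the
        current subscription (``/subscriptions/<id>``). It does NOT restrict which
        assignments come back -- that is decided entirely by
        ``_search_role_assignments``.
    :return: list of assignment dicts (``todict`` output). Each dict gains a
        ``roleDefinitionName`` key when its definition was found at ``scope`` and a
        ``principalName`` key (possibly ``''``) when Graph could be queried. An
        empty list when the principal has no assignments.

    The old docstring described an ``include_groups`` parameter that this
    function does not have; transitive group membership is not expanded here.
    """
    graph_client = _graph_client_factory(cmd.cli_ctx)
    factory = _auth_client_factory(cmd.cli_ctx)
    assignments_client = factory.role_assignments
    definitions_client = factory.role_definitions

    assignments = _search_role_assignments(assignments_client, assignee_object_id)
    results = todict(assignments) if assignments else []
    if not results:
        return []

    # 1. Role names. Definitions are listed at the requested scope (or the current
    # subscription). A definition that has been deleted, or a custom role defined
    # only at some other scope, simply stays without a ``roleDefinitionName``;
    # the assignment itself is still returned.
    definition_scope = scope if scope else '/subscriptions/' + get_subscription_id(cmd.cli_ctx)
    role_names = {d.id: d.role_name for d in definitions_client.list(scope=definition_scope)}
    for item in results:
        role_name = role_names.get(item['roleDefinitionId'])
        if role_name:
            item['roleDefinitionName'] = role_name

    # 2. Principal names, resolved through Graph. A Graph failure (typically the
    # signed-in identity lacking permission to read the directory) is deliberately
    # non-fatal: the assignments are still returned, only without names. Note for
    # consumers: an empty ``principalName`` therefore means *either* "principal was
    # deleted" *or* "could not resolve" -- the only way to tell them apart is the
    # log line below.
    principal_ids = {r['principalId'] for r in results if r['principalId']}
    if principal_ids:
        try:
            # The dict comprehension stays inside the try on purpose: the stubs
            # may be a lazily-paged iterable that raises only when iterated.
            principals = _get_object_stubs(graph_client, principal_ids)
            display_names = {p.object_id: _get_displayable_name(p) for p in principals}
        except (HttpResponseError, GraphErrorException) as ex:
            logger.info("Failed to resolve graph object information per error '%s'", ex)
        else:
            for item in results:
                if item.get('principalName'):
                    continue
                item['principalName'] = display_names.get(item['principalId']) or ''
    return results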
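def _create_role_assignment(cli_ctx, role, assignee_object_id, scope):
    """Grant ``role`` to ``assignee_object_id`` at ``scope``.

    :param cli_ctx: CLI context used to build the Authorization clients.
    :param role: role name or id; resolved to a definition id through
        ``_resolve_role_id`` at ``scope``.
    :param assignee_object_id: object id of the principal receiving the role.
    :param scope: ARM scope the assignment is created at. When falsy, falls back
        to the current subscription (``/subscriptions/<id>``).
    :return: the created role assignment, as returned by the SDK ``create`` call.

    Least privilege: the assignment is created at exactly ``scope`` -- callers
    should pass the narrowest scope that works (e.g. a resource group rather
    than the subscription).
    """
    factory = _auth_client_factory(cli_ctx, scope)
    assignments_client = factory.role_assignments
    definitions_client = factory.role_definitions

    # Honor the requested scope. The previous version accepted ``scope`` as a
    # parameter and then unconditionally rebuilt it from the subscription id, so
    # every assignment was granted subscription-wide even when the caller asked
    # for a narrower scope -- an over-privileged grant. The subscription is now
    # only a fallback for a missing scope.
    if not scope:
        scope = '/subscriptions/' + assignments_client.config.subscription_id
    role_id = _resolve_role_id(role, scope, definitions_client)

    from azure.mgmt.authorization.models import RoleAssignmentCreateParameters
    parameters = RoleAssignmentCreateParameters(role_definition_id=role_id,
                                                principal_id=assignee_object_id)
    # A fresh GUID is generated as the assignment name on every call.
    return assignments_client.create(scope=scope,
                                     role_assignment_name=_gen_guid(),
                                     parameters=parameters)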
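def _create_role_assignment(cli_ctx, role, assignee_object_id, scope):
    """Grant ``role`` to ``assignee_object_id`` at ``scope``.

    :param cli_ctx: CLI context used to build the Authorization clients.
    :param role: role name or id; resolved to a definition id through
        ``_resolve_role_id`` at ``scope``.
    :param assignee_object_id: object id of the principal receiving the role.
    :param scope: ARM scope the assignment is created at. When falsy, falls back
        to the current subscription (``/subscriptions/<id>``).
    :return: the created role assignment, as returned by the SDK ``create`` call.

    Least privilege: the assignment is created at exactly ``scope`` -- callers
    should pass the narrowest scope that works (e.g. a resource group rather
    than the subscription).
    """
    factory = _auth_client_factory(cli_ctx, scope)
    assignments_client = factory.role_assignments
    definitions_client = factory.role_definitions

    # Honor the requested scope. The previous version accepted ``scope`` as a
    # parameter and then unconditionally rebuilt it from the subscription id, so
    # every assignment was granted subscription-wide even when the caller asked
    # for a narrower scope -- an over-privileged grant. The subscription is now
    # only a fallback for a missing scope.
    if not scope:
        scope = '/subscriptions/' + assignments_client.config.subscription_id
    role_id = _resolve_role_id(role, scope, definitions_client)

    from azure.mgmt.authorization.models import RoleAssignmentCreateParameters
    parameters = RoleAssignmentCreateParameters(role_definition_id=role_id,
                                                principal_id=assignee_object_id)
    # A fresh GUID is generated as the assignment name on every call.
    return assignments_client.create(scope=scope,
                                     role_assignment_name=_gen_guid(),
                                     parameters=parameters)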
def _create_role_assignment(cli_ctx, role, assignee_object_id, scope):
    """Create a role assignment granting ``role`` to ``assignee_object_id`` at ``scope``.

    :param cli_ctx: CLI context used to build the Authorization clients and to
        pick the profile-appropriate SDK model class.
    :param role: role name or id; resolved via ``_resolve_role_id`` at ``scope``.
    :param assignee_object_id: object id of the principal receiving the role.
    :param scope: ARM scope the assignment is created at. It is passed straight
        through to the client factory, the role lookup and the ``create`` call --
        there is no fallback, so the caller is responsible for supplying the
        narrowest scope that works.
    :return: the created role assignment, as returned by the SDK ``create`` call.
    """
    from azure.cli.core.profiles import ResourceType, get_sdk

    auth_factory = _auth_client_factory(cli_ctx, scope)
    role_assignments = auth_factory.role_assignments
    role_definitions = auth_factory.role_definitions
    role_definition_id = _resolve_role_id(role, scope, role_definitions)

    # The model class is looked up per API profile rather than imported directly.
    create_params_cls = get_sdk(cli_ctx, ResourceType.MGMT_AUTHORIZATION,
                                'RoleAssignmentCreateParameters',
                                mod='models', operation_group='role_assignments')
    create_params = create_params_cls(role_definition_id=role_definition_id,
                                      principal_id=assignee_object_id)
    # Each call names the assignment with a freshly generated GUID.
    return role_assignments.create(scope=scope,
                                   role_assignment_name=_gen_guid(),
                                   parameters=create_params)
def _create_role_assignment(cli_ctx, role, assignee_object_id, scope):
    """Create a role assignment granting ``role`` to ``assignee_object_id`` at ``scope``.

    :param cli_ctx: CLI context used to build the Authorization clients and to
        pick the profile-appropriate SDK model class.
    :param role: role name or id; resolved via ``_resolve_role_id`` at ``scope``.
    :param assignee_object_id: object id of the principal receiving the role.
    :param scope: ARM scope the assignment is created at. It is passed straight
        through to the client factory, the role lookup and the ``create`` call --
        there is no fallback, so the caller is responsible for supplying the
        narrowest scope that works.
    :return: the created role assignment, as returned by the SDK ``create`` call.
    """
    from azure.cli.core.profiles import ResourceType, get_sdk

    auth_factory = _auth_client_factory(cli_ctx, scope)
    role_assignments = auth_factory.role_assignments
    role_definitions = auth_factory.role_definitions
    role_definition_id = _resolve_role_id(role, scope, role_definitions)

    # The model class is looked up per API profile rather than imported directly.
    create_params_cls = get_sdk(cli_ctx, ResourceType.MGMT_AUTHORIZATION,
                                'RoleAssignmentCreateParameters',
                                mod='models', operation_group='role_assignments')
    create_params = create_params_cls(role_definition_id=role_definition_id,
                                      principal_id=assignee_object_id)
    # Each call names the assignment with a freshly generated GUID.
    return role_assignments.create(scope=scope,
                                   role_assignment_name=_gen_guid(),
                                   parameters=create_params)
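def list_role_assignments(cmd, assignee_object_id, scope=None):
    """List the role assignments held by one principal, with friendly names filled in.

    :param cmd: CLI command object; ``cmd.cli_ctx`` is used to build the Graph and
        Authorization clients.
    :param assignee_object_id: object id of the principal whose assignments are
        listed. It is the only filter handed to ``_search_role_assignments``.
    :param scope: ARM scope at which role *definitions* are listed so that
        ``roleDefinitionId`` values can be mapped to names. Defaults to the
        subscription the definitions client is configured for. It does NOT
        restrict which assignments come back -- that is decided entirely by
        ``_search_role_assignments``.
    :return: list of assignment dicts (``todict`` output). Each dict gains a
        ``roleDefinitionName`` key when its definition was found at ``scope`` and a
        ``principalName`` key (possibly ``''``) when Graph could be queried. An
        empty list when the principal has no assignments.

    The old docstring described an ``include_groups`` parameter that this
    function does not have; transitive group membership is not expanded here.
    """
    graph_client = _graph_client_factory(cmd.cli_ctx)
    factory = _auth_client_factory(cmd.cli_ctx)
    assignments_client = factory.role_assignments
    definitions_client = factory.role_definitions

    assignments = _search_role_assignments(assignments_client, assignee_object_id)
    results = todict(assignments) if assignments else []
    if not results:
        return []

    # 1. Role names. Definitions are listed at the requested scope (or the client's
    # subscription). A definition that has been deleted, or a custom role defined
    # only at some other scope, simply stays without a ``roleDefinitionName``;
    # the assignment itself is still returned.
    definition_scope = scope if scope else '/subscriptions/' + definitions_client.config.subscription_id
    role_names = {d.id: d.role_name for d in definitions_client.list(scope=definition_scope)}
    for item in results:
        role_name = role_names.get(item['roleDefinitionId'])
        if role_name:
            item['roleDefinitionName'] = role_name

    # 2. Principal names, resolved through Graph. A Graph failure (typically the
    # signed-in identity lacking permission to read the directory) is deliberately
    # non-fatal: the assignments are still returned, only without names. Note for
    # consumers: an empty ``principalName`` therefore means *either* "principal was
    # deleted" *or* "could not resolve" -- the only way to tell them apart is the
    # log line below.
    principal_ids = {r['principalId'] for r in results if r['principalId']}
    if principal_ids:
        try:
            # The dict comprehension stays inside the try on purpose: the stubs
            # may be a lazily-paged iterable that raises only when iterated.
            principals = _get_object_stubs(graph_client, principal_ids)
            display_names = {p.object_id: _get_displayable_name(p) for p in principals}
        except (CloudError, GraphErrorException) as ex:
            logger.info("Failed to resolve graph object information per error '%s'", ex)
        else:
            for item in results:
                if item.get('principalName'):
                    continue
                item['principalName'] = display_names.get(item['principalId']) or ''
    return results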
def list_role_definitions(cmd):
    """Return every role definition visible at the current subscription scope.

    :param cmd: CLI command object; ``cmd.cli_ctx`` is used to build the
        Authorization client (no explicit scope is given to the factory).
    :return: list of role definition objects from ``role_definitions.list``,
        queried at ``/subscriptions/<id>`` where ``<id>`` is the subscription the
        client is configured with. Built-in and custom roles alike, as the
        service returns them.
    """
    client = _auth_client_factory(cmd.cli_ctx, None).role_definitions
    subscription_scope = '/subscriptions/' + client.config.subscription_id
    # Materialize the paged result so callers get a plain list.
    return list(client.list(subscription_scope))
def list_role_definitions(cmd):
    """Return every role definition visible at the current subscription scope.

    :param cmd: CLI command object; ``cmd.cli_ctx`` is used to build the
        Authorization client (no explicit scope is given to the factory).
    :return: list of role definition objects from ``role_definitions.list``,
        queried at ``/subscriptions/<id>`` where ``<id>`` is the subscription the
        client is configured with. Built-in and custom roles alike, as the
        service returns them.
    """
    client = _auth_client_factory(cmd.cli_ctx, None).role_definitions
    subscription_scope = '/subscriptions/' + client.config.subscription_id
    # Materialize the paged result so callers get a plain list.
    return list(client.list(subscription_scope))